Consent Order Issued Against Equifax

On June 25, state financial regulatory agencies entered into a consent order with Equifax Inc., requiring the company to take specific action to protect confidential consumer information in the wake of an extensive security breach last year. Equifax, one of the country’s three major credit reporting agencies, disclosed on September 7, 2017, that a vulnerability in one of its websites was exploited by criminal hackers in May 2017 to gain access to the personal information of an estimated 146 million U.S. consumers. Data accessed included individual customer names, Social Security numbers, birth dates, addresses and related personally identifiable information.

In response to this breach, an examination team composed of state financial regulators from Alabama, California, Georgia, Maine, Massachusetts, New York, North Carolina and Texas commenced a multi-state examination of the company in November 2017 to evaluate the company’s information security and cybersecurity controls.

The conditions Equifax agreed to in the consent order require the company’s board to remediate the deficiencies and unsafe practices that contributed to the breach. The order subjects Equifax to periodic reporting to the multi-state regulatory agencies regarding remediation efforts. Subsequent onsite regulatory reviews are planned to validate actions reported by the company.

“After the breach was announced, my state counterparts and I believed strongly that a targeted regulatory response was required,” says Charles G. Cooper, Texas banking commissioner. “We took action and established a special multi-state examination team. This demonstrates the flexibility and responsiveness of the state financial regulatory system as we work together to protect all of our citizens.”

The consent order can be viewed on the Texas Department of Banking’s website at

Published in Bankers Digest July 9, 2018